THE MOR CRYPTOSYSTEM AND EXTRA-SPECIAL p-GROUPS

AYAN MAHALANOBIS 

Abstract. This paper studies the MOR cryptosystem, using the automorphism group of the extra-special p-group of exponent p, for an odd prime p. Similar results can be obtained for extra-special p-groups of exponent $p^2$ and for the even prime.



1. Introduction 

In this paper, we study the MOR cryptosystem with extra-special p-groups. Similar studies were done using the group of unitriangular matrices [3] and the group of unimodular matrices [4]. The group of unitriangular matrices and the group of unimodular matrices are both matrix groups. There are many ways to represent a group: natural representations, like a matrix representation or a permutation representation, or a more abstract representation in the form of generators and relations, commonly known as a finite presentation. In this paper, we shift our study of the MOR cryptosystem from the matrix representation of a group to a finite presentation. We show that using a finite presentation, in the form of generators and relations, one can build a secure MOR cryptosystem.

In a MOR cryptosystem, one works with the discrete logarithm problem in the automorphism group. On one hand, this is not a major change, because the discrete logarithm problem works in a group and the automorphisms form a group. On the other hand, an automorphism group arises from any algebraic structure, like a graph, a vector space, etc. So the MOR cryptosystem can be seen as the one that liberates the discrete logarithm problem from groups to other algebraic structures.
2. The MOR cryptosystem

In this section we describe the MOR cryptosystem [1, 6] as automorphisms of a finite group G; however, it can be generalized easily to other finitely generated algebraic structures. A description and a critical analysis of the MOR cryptosystem is in [3] and the references there.

2.1. Description of the MOR cryptosystem. Let $G = \langle g_1, g_2, \ldots, g_\tau \rangle$, $\tau \in \mathbb{N}$, be a finite group and $\varphi$ a non-trivial automorphism of G. Alice's keys are as follows:

Private Key: $m$, $m \in \mathbb{N}$.
Public Key: $\{\varphi(g_i)\}_{i=1}^{\tau}$ and $\{\varphi^m(g_i)\}_{i=1}^{\tau}$.

Encryption.

a: To send a message (plaintext) $a \in G$, Bob computes $\varphi^r$ and $\varphi^{mr}$ for a random $r \in \mathbb{N}$.
b: The ciphertext is $(\varphi^r, \varphi^{mr}(a))$.

Decryption.

a: Alice knows $m$, so if she receives the ciphertext $(\varphi^r, \varphi^{mr}(a))$, she computes $\varphi^{mr}$ from $\varphi^r$, then $\varphi^{-mr}$, and then computes $a$ from $\varphi^{mr}(a)$.

If Alice knows the order of the automorphism $\varphi$, she can use the identity $\varphi^{-mr} = \varphi^{t-mr}$ whenever $\varphi^t = 1$ to compute $\varphi^{-mr}$.

3. Notations and definitions

All definitions are standard and so are the notations.

: The exponent of a finite group G is the least common multiple of all possible orders of elements in G. For a finite p-group, it is the largest order of an element in G.
: The center of a group G, denoted by Z(G), is the set of all elements in G that commute with every element of G. It is known that Z(G) is characteristic.
: For a group G, $G'$ is the commutator subgroup of G and $\Phi(G)$ is the Frattini subgroup of G, see [2, Page 2] for details.
4. The description and some properties of extra-special p-groups

For a given prime p, all groups of order $p^2$ are abelian. So the first non-abelian group G is of order $p^3$. There is a complete classification of groups of order $p^3$. For p = 2, there are two non-abelian groups of order 8, the dihedral group $D_4$ and the quaternion group $Q_8$.

4.1. Groups of order $p^3$, for an odd prime p. For an odd prime p, there are two non-isomorphic classes [7, Section 4.13] of non-abelian groups of order $p^3$:

(1) $M := \langle x, y \mid x^p = 1 = y^p;\ [x, y] = z \in Z(M);\ z^p = 1 \rangle$

(2) $N := \langle x, y \mid y^p = 1;\ [x, y] = x^p = z \in Z(N);\ z^p = 1 \rangle$

Both of these groups are 2-generator p-groups; the first one has exponent p and the second one has exponent $p^2$. In this paper we study the MOR cryptosystem using M; a similar study can be done with N and with $D_4$ and $Q_8$, with similar conclusions. Let $\varphi$ be an automorphism of M; then $\varphi$ can be written as

(3) $\varphi(x) = x^{m_1} y^{n_1} z^{k_1}$

(4) $\varphi(y) = x^{m_2} y^{n_2} z^{k_2}$

Then $[\varphi(x), \varphi(y)] = z^{\det(T)}$, where $T = \begin{pmatrix} m_1 & n_1 \\ m_2 & n_2 \end{pmatrix}$, and $\varphi$ is an automorphism of M if and only if $\det(T) \not\equiv 0 \bmod p$. Notice that $M/Z(M) \cong \mathbb{Z}_p \times \mathbb{Z}_p$, and M is extra-special, hence the group of inner automorphisms of M, denoted by $I$, is isomorphic to $\mathbb{Z}_p \times \mathbb{Z}_p$. This gives the following exact sequence:

$1 \longrightarrow \mathbb{Z}_p \times \mathbb{Z}_p \longrightarrow \mathrm{Aut}(M) \longrightarrow GL(2, p) \longrightarrow 1$

There are two kinds of automorphisms of M, one that is trivial on Z(M) and the other that is not. Since any automorphism of the center of M can be extended to an automorphism of M, the automorphisms that act non-trivially on the center are generated by

(5) $\theta : x \mapsto x,\quad y \mapsto y^{\theta}$

where $\theta$ is primitive mod p. If we denote the automorphisms that are trivial on the center by H, then there is an exact sequence of the form

$1 \longrightarrow \mathbb{Z}_p \times \mathbb{Z}_p \longrightarrow H \longrightarrow SL(2, p) \longrightarrow 1$

Since for M the central and the inner automorphisms are identical, the inner automorphisms are of the form $x \mapsto x z^{d_1}$, $y \mapsto y z^{d_2}$, where $0 \le d_1, d_2 < p$.

Hence we have shown that any automorphism of M is a composition of a power of the automorphism $\theta$ in (5), an inner automorphism and an element from SL(2, p).
It is not hard to see that if $\varphi$ is given by

$\varphi(y) = x^{m_2} y^{n_2} z^{k_2}$

and $\varphi^m$ is given by

$\varphi^m(y) = x^{m_2'} y^{n_2'} z^{k_2'}$

then
So the discrete logarithm problem in the cyclic group $\langle \varphi \rangle$ of automorphisms is converted to the discrete logarithm problem in GL(2, p). One can choose $m_i$ and $n_i$, $i = 1, 2$, in $\varphi$ such that the matrix T is in SL(2, p). The best algorithm to solve the discrete logarithm problem in matrices is the Menezes-Wu algorithm [5]. That algorithm finds the eigenvalues of the matrix and the eigenvalues of the power of that matrix, and then tries to solve the discrete logarithm problem in those eigenvalues. So if the characteristic polynomial corresponding to the matrix of $\varphi$ is irreducible, then the complexity of solving the discrete logarithm problem in $\varphi$ and $\varphi^m$ is identical to solving the discrete logarithm problem in $\mathbb{F}_{p^2}$.
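As an added worked example that is not part of the paper, the following Python models the group M of Section 4.1 (elements $x^a y^b z^c$ stored as exponent triples, automorphisms as their images of the generators x and y) and runs the key generation, encryption and decryption of Section 2.1 on it; the first two coordinates of each image are the rows of the matrix T of (3) and (4), so the reduction to GL(2, p) can be checked directly since the matrix of $\varphi^m$ is $T^m$. The prime P = 7 and all function names are this example's own choices, not the paper's.

```python
import random

P = 7  # small odd prime for the demonstration (constructed value, not from the paper)

# Elements x^a y^b z^c of M = <x, y | x^p = y^p = 1, [x, y] = z in Z(M), z^p = 1> are
# triples (a, b, c) mod p; an automorphism is the pair (phi(x), phi(y)) of such triples.
def mul(g, h, p=P):
    # x^a y^b z^c * x^a2 y^b2 z^c2: moving x^a2 left past y^b uses y x = x y z^-1
    (a, b, c), (a2, b2, c2) = g, h
    return ((a + a2) % p, (b + b2) % p, (c + c2 - a2 * b) % p)
def power(elem, k, op, one, p=P):
    # square-and-multiply; serves both M (op=mul) and Aut(M) (op=compose)
    acc, base = one, elem
    while k:
        if k & 1: acc = op(acc, base, p)
        base, k = op(base, base, p), k >> 1
    return acc
def det_of(phi, p=P):
    # det T for T = ((m1, n1), (m2, n2)), the matrix of phi acting on M/Z(M)
    (m1, n1, _), (m2, n2, _) = phi
    return (m1 * n2 - n1 * m2) % p
def apply(phi, g, p=P):
    # phi(x^a y^b z^c) = phi(x)^a phi(y)^b z^(c det T), since phi(z) = z^(det T)
    (a, b, c), (ix, iy) = g, phi
    word = mul(power(ix, a, mul, (0, 0, 0), p), power(iy, b, mul, (0, 0, 0), p), p)
    return mul(word, (0, 0, c * det_of(phi, p) % p), p)
def compose(phi, psi, p=P):  # (phi o psi) on the generators x, y
    return (apply(phi, psi[0], p), apply(phi, psi[1], p))
IDENT = ((1, 0, 0), (0, 1, 0))  # identity automorphism
def inverse(phi, p=P):
    # preimages of x and y: rows of T^-1 over Z_p, then cancel the central z-part
    (m1, n1, _), (m2, n2, _) = phi
    dinv = pow(det_of(phi, p), -1, p)
    rows = ((n2 * dinv % p, -n1 * dinv % p), (-m2 * dinv % p, m1 * dinv % p))
    # phi(x^a y^b) = generator * z^c0; c = -c0 / det T cancels that factor
    return tuple((a, b, -apply(phi, (a, b, 0), p)[2] * dinv % p) for a, b in rows)
def public_key(phi, m, p=P):
    # Alice: phi (with det T != 0) and phi^m are public, m is private
    if not det_of(phi, p): raise ValueError("phi must be invertible on M/Z(M)")
    return phi, power(phi, m, compose, IDENT, p)
def encrypt(pub, a, p=P, r=None):
    # Bob: random r, ciphertext (phi^r, phi^(mr)(a)) with phi^(mr) = (phi^m)^r
    phi, phi_m = pub
    r = r or random.randrange(2, p ** 3)
    return power(phi, r, compose, IDENT, p), apply(power(phi_m, r, compose, IDENT, p), a, p)
def decrypt(m, ct, p=P):
    # Alice: (phi^r)^m = phi^(mr); its inverse applied to the second component recovers a
    phi_r, c = ct
    return apply(inverse(power(phi_r, m, compose, IDENT, p), p), c, p)
```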

4.2. Extra-special p-groups of exponent p. An extra-special group P is a p-group in which the center Z(P), the commutator P', and the Frattini subgroup $\Phi(P)$ are equal and cyclic of order p [7, Definition 4.14]. The two most important extra-special p-groups are M and N above. Extra-special p-groups are well studied and their automorphism groups were described by Winter [8]. We don't want to redo all the work done by Winter but refer an interested reader to his paper [8].

Let P be the iterated central product [?, Section 1.2] of M with itself r times. As we know, M is a group of order $p^3$ and exponent p. This makes P an extra-special p-group of exponent p. The finite presentation for the group P is the following [2, Page 33]:

$P = \langle x_1, \ldots, x_r, y_1, \ldots, y_r \mid [x_i, y_j] = 1,\ i \ne j;\ [x_i, y_i] = z \in Z(P) \rangle$,

where each of $x_i$, $y_i$ and $z$ is of order p.

One can define a non-degenerate, bilinear, alternating form B on $P/\Phi(P)$ as a vector space over $\mathbb{Z}_p$ [2, Page 33]. Let $x, y \in P$, and $\bar{x}, \bar{y}$ be their images in $P/\Phi(P)$. Then $B(\bar{x}, \bar{y}) = c$, where $[x, y] = z^c$.

Description of the automorphisms of P involves three steps.

A: Find all automorphisms that are non-trivial on the center.

B: Prove that an automorphism preserves the bilinear form if and only if it acts trivially on the center. Let H be the subgroup of the automorphism group that acts trivially on the center.

C: Prove that $H/I \cong Sp(2r, p)$, where $I$ is the subgroup of inner automorphisms of P and $Sp(2r, p)$ is the symplectic group on the vector space $P/\Phi(P)$ over $\mathbb{Z}_p$, defined by the bilinear form B.

We briefly sketch the proof of the above three assertions; for details, see [8]. It is known that for an extra-special p-group the inner automorphisms are identical to the central automorphisms. Hence the inner automorphisms are given by

$x_i \mapsto x_i z^{d_i},\quad y_i \mapsto y_i z^{d_i'}$

where $0 \le d_i, d_i' < p$. Clearly there are $p^{2r}$ inner automorphisms of P.

(A). The automorphisms that do not act trivially on Z(P) are given by powers of $z \mapsto z^{\theta}$, where $\theta$ is a primitive element mod p. Notice that Z(P) is a cyclic group of order p. Hence these automorphisms can be defined by:

(6) $\theta : x_i \mapsto x_i,\quad y_i \mapsto y_i^{\theta}$

where $\theta$ is primitive mod p. Clearly, $\theta$ is of order $p - 1$.
(B-C). Corresponding to an automorphism $\varphi$ of P, one can trivially define an automorphism $\bar{\varphi}$ on $P/\Phi(P)$. Then the automorphism $\bar{\varphi}$ preserves the bilinear form B if and only if $\varphi$ acts trivially on Z(P). This follows from the equation

Hence there is a homomorphism $\tau : H \to Sp(2r, p)$. It is easy to see that the kernel is the set of inner automorphisms $I$. This proves that $H/I \cong Sp(2r, p)$.

By an argument identical to the MOR cryptosystem in M, one can reduce the discrete logarithm problem in the extra-special p-group P to a discrete logarithm problem in $Sp(2r, p)$. The discrete logarithm problem in $Sp(2r, p)$, in the best case scenario (irreducible characteristic polynomial), embeds into a discrete logarithm problem in $\mathbb{F}_{p^{2r}}$.

5. Conclusion

The discrete logarithm problem is the backbone of many modern day public key cryptosystems and key exchanges. A MOR cryptosystem generalizes the central idea of the discrete logarithm problem from a group to any finitely generated algebraic structure.

It was an open question whether one can build a secure MOR cryptosystem using the finite presentation of a group. We have shown that the answer is yes.

The situation with other extra-special p-groups is almost identical.